Ghostery GDRP scre-up

The company behind Ghostery, a privacy-focused browser and an ad-blocking browser extension,  has apologized for a technical error that occurred last Friday when its staff was sending out GDPR-themed notification emails.

According to numerous user reports, Ghostery sent out emails that exposed the addresses of other users.

The emails were sent to batches of 500 users at the same time, and every user in each batch was able to see the email addresses of the other users.

Ghostery: It was a simple human mistake.

Ghostery realized the error on Friday, and after an investigation, explained on Saturday that the error was caused by an operator's mistake working with their new self-hosted email delivery platform for the first time.

Recently, we decided to stop using a third-party email automation platform. In an effort to be more secure, we wanted to manage user account emails in our own system, so we could fully monitor and control data practices surrounding them. Unfortunately, due to a technical issue between us and the email sending tool we chose, the GDPR email, which was supposed to be a single email to each recipient was instead sent to a batch of users, accidentally revealing the email addresses for each batch to all recipients of a batch by adding everybody directly in the “To” field. We sincerely apologize for this incident. We are horrified and embarrassed that this happened, and are doing our best to make sure it never happens again.

The company said it stopped email sending operations as soon as it realized what it happened, and published on Saturday instructions on how users could delete their Ghostery accounts. Ghostery profiles aren't mandatory for using Ghostery, so deleting accounts won't affect the company's products in any way.

Ironically, it was a GDPR email campaign that broke GDPR rules

The emails Ghostery was sending out included information about the company's new GDPR-related changes in its privacy policy. A copy of these emails are available on the company's blog.

Ironically, the incident caused Ghostery to break GDPR, a new user and data privacy regulation that come into effect in the EU last Friday, May 25, 2018 [Wikipedia article detailing protections; actual GDPR text].

The incident isn't as bad as it sounds, as only email addresses were exposed. It's more funny than an actual security breach.

Ghostery said it plans to report the incident to EU authorities, as the new GDPR directive mandates. While there's no way to accurately verify this, Ghostery may actually be the first company that reports a breach under the new GDPR rules.

Image credits: Ghostery

Related Articles:

Number of Third-Party Cookies on EU News Sites Dropped by 22% Post-GDPR

CCleaner Disregarding Settings and Forcing Update to Latest 5.46 Version

Study of 17,260 Android Apps Doesn't Find Evidence of Secret Spying

CCleaner 5.46 Released With Improved Privacy Options

Android Phones Expose Sensitive Data via Internal System Broadcasts